Analysis and security protection against CDP protocol attacks

Anyone familiar with Cisco knows that the CDP protocol is a unique Discovery Protocol of Cisco. It can run on all routers and switches produced by Cisco, A router or switch running c d p can know the neighbor port and host name information directly connected to it.

You can also learn some additional information, such as the neighbor's hardware mode number and its performance. In this way, we can obtain the associated vro name, router port information, IOS version information, IOS platform information, and hardware version information through CDP, and related link information to describe the topology of the entire network. At this time, hackers will use CDP to fool the network administrator. The following describes the possible exploitation and Countermeasures of the two targets.

1. Two CDP spoofing types

1. for central management software, various high-end network management software Cisco works, IBM Tivoli, and HP open view rely on CDP to complete Cisco host discovery. If a counterfeit CDP frame is sent, claiming that a Cisco device has appeared on the network, the management software will try to contact it through SNMP and then have the opportunity to capture the SNMPCommunity name string used, this may be the name used by other Cisco devices in the network, and may cause these devices to be attacked. In addition, CDP spoofing can also be used as a prank to distract network administrators.

2. the second goal is to switch CDP data and identify each other after the Cisco IP Phone is opened. The switch uses the CDP notification phone, let it know that the voice traffic will use that VLAN, it is not difficult to find that there is a chance to carry out spoofing attacks, such as injecting CDP frames. In this way, an incorrect VLAN is assigned to the phone.

How are these manually forged CDP frames manufactured? Two tools can be used to forge CDP frames. Next, let's take a look at Yersinia, the CDP tool program on the Linux platform.

Yersinia is a tool that executes Layer 2 attacks and helps black box testers check the reliability of Layer 2 protocol configurations in their daily work. Yersinia can operate the L2 network protocol and allow attackers to block the switch from injecting pseudo Spanning Tree Protocol, DHCP, VLAN relay protocol and other information into the network.

Installation Method:

Tar zxvf yersinia-0.7.tar.gz

./Configure; make install
Start Yersinia on the GUI and enter "Yersinia-G". Start Yersinia-I on the Character interface"

498) this. style. width = 498; "border = 0>

Ii. Defense Measures

The vswitch/vro running CDP regularly broadcasts packets with CDP update data. The cdp timer command is used to determine the data update interval of CDP. The default value is 60 seconds, and CDP is enabled by default.
Diagnostic output information for CDP data packets on a Cisco Catalyst 2924 switch. The switch sends CDP data packets on each active interface.

SW # debug cdp packet
03:36:26 CDP-PA Packet received form R1 on interface FastEthernet0/5
03:36:26 ** Entry found in cache **
03:36:30 CDP-PA version 2 packet sent out on FastEthernet 0/1
03:36:30 CDP-PA version 2 packet sent out on FastEthernet 0/2
03:36:30 CDP-PA version 2 packet sent out on FastEthernet 0/3
03:36:30 CDP-PA version 2 packet sent out on FastEthernet 0/4

How can we disable CDP?

No cdp enable must be used in global vswitch/vro mode.
For Cisco CatOS, use set cdp disable to disable CDP.